#!/bin/sh # bashsupport disable=BP5007 # shellcheck shell=sh # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2006-2015 Daniel Baumann # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: GPL-3.0-or-later # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu ## Modified Version of the original file: ## live-build(7) - System Build Scripts ## Copyright (C) 2016-2020 The Debian Live team ## Copyright (C) 2006-2015 Daniel Baumann ## ## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING. ## This is free software, and you are welcome to redistribute it ## under certain conditions; see COPYING for details. set -e # Including common functions. if [ -e "${LIVE_BUILD}/scripts/build.sh" ]; then . "${LIVE_BUILD}/scripts/build.sh" else . /usr/lib/live/build.sh fi # Setting static variables # shellcheck disable=SC2034 DESCRIPTION="Build rootfs image" # shellcheck disable=SC2034 USAGE="${PROGRAM} [--force]" # Processing arguments and configuration files Init_config_data "${@}" Echo_message "Begin building root filesystem image..." # Requiring a stage file Require_stagefiles config bootstrap binary_chroot # Checking stage file Check_stagefile # Acquire a lock file Acquire_lockfile case "${LB_ARCHITECTURE}" in amd64|i386) # shellcheck disable=SC2034 LINUX="vmlinuz" ;; powerpc|ppc64el|riscv64) # shellcheck disable=SC2034 LINUX="vmlinux" ;; esac case "${LB_INITRAMFS}" in live-boot|dracut-live) INITFS="live" ;; *) INITFS="boot" ;; esac # Creating directory mkdir -p "binary/${INITFS}" if In_list "rootfs" "${LB_CACHE_STAGES}" && [ -d cache/binary_rootfs ] then # Removing old chroot rm -rf binary/"${INITFS}"/filesystem.* # Restoring old cache mkdir -p binary/"${INITFS}" cp -a cache/binary_rootfs/filesystem.* binary/"${INITFS}" # Creating a stage file Create_stagefile exit 0 fi case "${LB_CHROOT_FILESYSTEM}" in ext2|ext3|ext4) # Checking depends Check_package chroot "/sbin/mkfs.${LB_CHROOT_FILESYSTEM}" e2fsprogs # Restoring cache Restore_package_cache binary # Installing depends Install_packages # Remove old image if [ -f "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" ] then rm -f "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" fi case "${LB_BUILD_WITH_CHROOT}" in true) # shellcheck disable=SC2312 DU_DIM="$(du -ms chroot/chroot | cut -f1)" # shellcheck disable=SC2312 INODES="$(find chroot/chroot | wc -l)" ;; false) # shellcheck disable=SC2312 DU_DIM="$(du -ms chroot | cut -f1)" # shellcheck disable=SC2312 INODES="$(find chroot | wc -l)" ;; esac REAL_DIM="$(Calculate_partition_size "${DU_DIM}" "${LB_CHROOT_FILESYSTEM}")" REAL_INODES="$(Calculate_partition_size "${INODES}" "${LB_CHROOT_FILESYSTEM}")" case "${LB_BUILD_WITH_CHROOT}" in true) dd if="/dev/zero of=chroot/filesystem.${LB_CHROOT_FILESYSTEM}" bs=1024k count=0 seek="${REAL_DIM}" FAKE_MTAB=false if ! Chroot chroot "test -e /etc/mtab" then Chroot chroot "ln -s /proc/mounts/mtab /etc/mtab" FAKE_MTAB=true fi BLOCK_SIZE=1024 if [ "${LB_DM_VERITY}" = "true" ] then # Module dm-verity needs a block size of at least 4k BLOCK_SIZE=4096 fi Chroot chroot "mkfs.${LB_CHROOT_FILESYSTEM} -F -b ${BLOCK_SIZE} -N ${REAL_INODES} -m 0 filesystem.${LB_CHROOT_FILESYSTEM}" mkdir -p filesystem.tmp mount -o loop "chroot/filesystem.${LB_CHROOT_FILESYSTEM}" filesystem.tmp cp -a chroot/chroot/* filesystem.tmp if "${FAKE_MTAB}"; then Chroot chroot "rm -f /etc/mtab" fi umount filesystem.tmp rmdir filesystem.tmp # Move image mv "chroot/filesystem.${LB_CHROOT_FILESYSTEM}" "binary/${INITFS}" # shellcheck disable=SC2312 du -B 1 -s chroot/chroot | cut -f1 > "binary/${INITFS}/filesystem.size" # Removing depends Remove_packages if [ -e chroot/chroot.cache ] then Remove_lockfile mv chroot/chroot chroot.tmp lb chroot_prep remove all mode-archives-binary "${@}" rm -rf chroot mv chroot.tmp chroot lb chroot_prep install all mode-archives-binary "${@}" touch .lock else rm -rf chroot/chroot fi ;; false) dd if="/dev/zero of=binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" bs=1024k count=0 seek="${REAL_DIM}" "mkfs.${LB_CHROOT_FILESYSTEM}" -F -b 1024 -N "${REAL_INODES}" -m 0 "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" mkdir -p filesystem.tmp mount -o loop "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" filesystem.tmp cp -a chroot/* filesystem.tmp umount filesystem.tmp rmdir filesystem.tmp ;; esac # Saving cache Save_package_cache binary ;; jffs2) # Checking depends Check_package chroot /usr/sbin/mkfs.jffs2 mtd-tools # Restoring cache Restore_package_cache binary # Installing depends Install_packages # Remove old jffs2 image if [ -f "binary/${INITFS}/filesystem.jffs2" ] then rm -f "binary/${INITFS}/filesystem.jffs2" fi if [ -n "${LB_JFFS2_ERASEBLOCK}" ] then JFFS2_OPTIONS="--eraseblock=${LB_JFFS2_ERASEBLOCK}" fi case "${LB_BUILD_WITH_CHROOT}" in true) Chroot chroot "mkfs.jffs2 ${JFFS2_OPTIONS} --root=chroot --output filesystem.jffs2" # Move image mv chroot/filesystem.jffs2 "binary/${INITFS}" # Removing depends Remove_packages if [ -e chroot/chroot.cache ] then Remove_lockfile mv chroot/chroot chroot.tmp lb chroot_prep remove all mode-archives-binary "${@}" rm -rf chroot mv chroot.tmp chroot lb chroot_prep install all mode-archives-binary "${@}" touch .lock else rm -rf chroot/chroot fi ;; false) mkfs.jffs2 "${JFFS2_OPTIONS}" --root=chroot --output "binary/${INITFS}/filesystem.jffs2" ;; esac # Saving cache Save_package_cache binary ;; plain) if [ -d "binary/${INITFS}/filesystem.dir" ] then rm -rf "binary/${INITFS}/filesystem.dir" fi case "${LB_BUILD_WITH_CHROOT}" in true) if [ -e chroot/chroot.cache ] then # Different from the other LB_CHROOT_FILESYSTEM values: # continue working in the bootstrap chroot, not the generated chroot. # This saves the time to create a full copy of the generated chroot. cp -a chroot/chroot/boot chroot mv chroot/chroot "binary/${INITFS}/filesystem.dir" else rm -fr chroot/chroot # Removing depends Remove_packages fi ;; false) cp -a chroot "binary/${INITFS}/filesystem.dir" ;; esac ;; squashfs) # Checking depends Check_package chroot /usr/share/doc/squashfs-tools squashfs-tools # Restoring cache Restore_package_cache binary # Installing depends Install_packages Echo_message "Preparing squashfs image..." Echo_message "This may take a while." # Remove old squashfs image if [ -f "binary/${INITFS}/filesystem.squashfs" ] then rm -f "binary/${INITFS}/filesystem.squashfs" fi # Remove stale squashfs image rm -f chroot/filesystem.squashfs # Do not display the progress bar if: # - Run with --quiet, or # - stdin is not a terminal (e.g., in CI, cron, etc.) if [ "${_QUIET}" = "true" ] || [ ! -t 0 ] then MKSQUASHFS_OPTIONS="-no-progress ${MKSQUASHFS_OPTIONS}" fi if [ "${_VERBOSE}" = "true" ] then MKSQUASHFS_OPTIONS="-info ${MKSQUASHFS_OPTIONS}" fi if [ -f config/rootfs/squashfs.sort ] then MKSQUASHFS_OPTIONS="-sort squashfs.sort ${MKSQUASHFS_OPTIONS}" case "${LB_BUILD_WITH_CHROOT}" in true) cp -a config/rootfs/squashfs.sort chroot ;; false) cp -a config/rootfs/squashfs.sort . ;; esac fi # Set squashfs compression type or default to xz if [ -n "${LB_CHROOT_SQUASHFS_COMPRESSION_TYPE}" ] then MKSQUASHFS_OPTIONS="-comp ${LB_CHROOT_SQUASHFS_COMPRESSION_TYPE} ${MKSQUASHFS_OPTIONS}" else MKSQUASHFS_OPTIONS="-comp xz ${MKSQUASHFS_OPTIONS}" fi if [ -n "${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL}" ] then MKSQUASHFS_OPTIONS="-Xcompression-level ${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL} ${MKSQUASHFS_OPTIONS}" fi case "${LB_BUILD_WITH_CHROOT}" in true) ### https://wiki.debian.org/ReproducibleInstalls/LiveImages ### https://reproducible-builds.org/docs/system-images/ ### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes if [ -e config/rootfs/excludes ] then printf "\e[95m[INFO] Found: [config/rootfs/excludes] \n\e[0m" cp -a config/rootfs/excludes chroot/excludes if [ -e chroot/excludes ] then printf "\e[95m[INFO] Found: [chroot/excludes] \n\e[0m" cat chroot/excludes fi printf "\e[95m[INFO] MKSQUASHFS_OPTIONS='%s' \n\e[0m" "${MKSQUASHFS_OPTIONS}" MKSQUASHFS_OPTIONS="-wildcards -ef /excludes ${MKSQUASHFS_OPTIONS}" printf "\e[95m[INFO] MKSQUASHFS_OPTIONS='%s' \n\e[0m" "${MKSQUASHFS_OPTIONS}" fi # Create image Chroot chroot "nice -n 17 mksquashfs chroot filesystem.squashfs ${MKSQUASHFS_OPTIONS}" rm -f chroot/excludes # Move image mv chroot/filesystem.squashfs "binary/${INITFS}" rm -f chroot/squashfs.sort # Removing depends Remove_packages if [ -e chroot/chroot.cache ] then Remove_lockfile mv chroot/chroot chroot.tmp lb chroot_prep remove all mode-archives-binary "${@}" rm -rf chroot mv chroot.tmp chroot lb chroot_prep install all mode-archives-binary "${@}" touch .lock else rm -rf chroot/chroot fi ;; false) if [ -e config/rootfs/excludes ] then MKSQUASHFS_OPTIONS="-wildcards -ef config/rootfs/excludes ${MKSQUASHFS_OPTIONS}" fi nice -n 19 mksquashfs chroot "binary/${INITFS}/filesystem.squashfs" "${MKSQUASHFS_OPTIONS}" ;; esac chmod 0644 "binary/${INITFS}/filesystem.squashfs" # Saving cache Save_package_cache binary ;; none) if [ -d binary ] then rm -rf binary fi case "${LB_BUILD_WITH_CHROOT}" in true) mv chroot/chroot binary ;; false) Echo_message "This may take a while." cp -a chroot binary ;; esac ;; esac if In_list "rootfs" "${LB_CACHE_STAGES}" then rm -rf cache/binary_rootfs mkdir -p cache/binary_rootfs if [ "${LB_CHROOT_FILESYSTEM}" != "none" ] then cp -a binary/"${INITFS}"/filesystem.* cache/binary_rootfs fi fi # Creating a stage file Create_stagefile # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh